Posts Tagged ‘banks’

Who’s fooling who?

Friday, September 1st, 2006

You would think that, after a number of years banking with an institution – putting money in every day, writing cheques, doing transfers, that sort of thing – that the institution would know who you were? Well, you would, wouldn’t you?

Apparently not.

Our foreign business is growing rapidly and we need to open a US$ bank account – while we can deposit US$ cheques to our sterling account, it’s expensive and it costs again when we want to pay suppliers in US$. Anyway, our sterling corporate bank account and one of the director’s personal bank accounts are at the same branch of a national bank. Have been for years. We just want to add a corporate US$ account to our accounts there.

No can do, says the Bank. Although we know you, we don’t know you – not for foreign currency accounts, anyway. So, here are some new forms for you to fill in and please, when you’ve filled them in, we need all the officers and directors of the company to come into the branch, bringing their personal identification, and to identify themselves to the bank officials. We know you’ve got nothing else to do during the business day. It’s the Anti-Money Laundering regulations, you see.

Is that the same AML regulations that have enabled alleged terrorists to fund a series of aborted and actual atrocities?

Offshore disaster

Wednesday, July 5th, 2006

Here’s the tip of a nasty iceberg for all those multinationals that have happily offshored various functions in recent years. You sort of expect a bank to get its security right, don’t you? Maybe not… HSBC is now in pursuit of a former Indian employee who has compromised the bank’s security and defrauded 20 customers to the tune of $425k.

Is this a case of a bank failing to adapt its security policies and procedures to the local environment, or is it just a case of lax bank approaches to information security? It seems to me that banks spend an inordinate amount of money on technological security – all of which, one way or another, makes life more difficult and complicated for their long-suffering customers – but are unable to take appropriate actions at the human level. Yet, more than half of all information security incidents are generated by people inside an organisation’s secure perimeter.

I’m sure that the national skills registry the article talks of is a step in the right direction, but HSBC hadn’t even bothered to join it. The fact that this particular criminal wasn’t in the registry database is a separate issue; HSBC clearly doesn’t have a robust employee vetting process in place – something that ISO 27001 insists on as a basic information security management requirement.

While NatWest Bank in the UK seems to be doing nicely by boasting that its call centres are not offshored (although there is a big gap between the quality of their service and their rhetoric), Powergen is not alone in reversing its offshoring policy. But if offshoring made sense in the first place, why not follow through on that initial investment and develop an appropriate information security environment? Wouldn’t it be cheaper for these organisations to focus on the human aspects of information security – on proper employee vetting and on training and supervision, for example – than on investing in offshoring and then, equally expensively, reversing that decision?

Citigroup exposes 3.9 million customers

Tuesday, June 7th, 2005

Citigroup announced earlier this week that personal details of 3.9 million consumer lending customers were lost by UPS while en route to a credit bureau.

How do you lose a set of tapes? I mean, UPS are supposed to be good at handling parcels – particularly ones that contain valuable information. Aren’t they?

And if you were CEO of Citigroup, and you knew that it was not unknown for storage partners to lose this sort of data (Time Warner, for instance, had lost 600,000 records just the month before), might you not have built the possibility into your risk assessment? (They do, I’m sure, do risk assessments at Citigroup.) And if you had, then might you not have spotted and provided for this risk as part of the “enhanced security procedures you require of your couriers”?

Or should we be thinking that the unenhanced security procedures were closer to, well, not much, really?

I’m sure we won’t be told.

Bank customers want bio-metrics?

Monday, May 9th, 2005

Fujitsu say they have done some research which, usefully for their bio-metrics product, says that one in three banking customers would like their banks to install bio-metric technologies in order to reduce phishing and online fraud.

A spokesman does seem to have spotted one of the problems with a palm-reading device to authenticate any ATM transactions: getting customers to come in and register their palms (the ones on their hands).

It’s really difficult to see the commercial value, to the banks, in deploying this technology. Only one in five recipients of a phishing e-mail actually responds to it, which means that the number of people at risk is quite small. You can download a (free) browser bar that will tell you if you’re on a known phishing site and people who haven’t bothered to do something as simple as that – and who are still falling for phishing e-mails – are hardly going to go to the trouble of getting their palms recorded, are they?

So, what about shoulder-surfing and ATM scams? Well, they’re not that difficult for even a semi-alert person to deal with. And it’s the alert people – the ones who would take precautions to make sure they weren’t scammed at the ATM – who are likely to take the trouble of getting their hands scanned. So, no real benefit for the banks there, then.

People go on eating junk food, they go on smoking, they go on drinking – all these things are potentially terminal for them, but they go on doing them. And if people will go on doing things that are fun but deadly, what says they’ll bother doing something that’s not much fun in order to avoid something that might also not be much fun? I could be wrong, but let’s watch how fast the hand-scanning idea catches on….

“Phishing” – are banks accountable?

Tuesday, November 16th, 2004

APACs has recently said that UK banks can’t be expected to go on compensating the victims of “phishing” attacks. I’m astonished that they ever did in the first place! And it’s hardly surprising that, when there is no cost to stupidity, people go on falling for these frauds.

“Phishing” attacks follow a fairly standard pattern: spam e-mails that look like they come from a bank (they use bank logos and internet addresses that include the bank’s name) ask the recipient to urgently log on and confirm their internet banking details. The reasons given for why you should do this are plausible but fraudulent. All banks say, in crystal clear terms on the home page for their internet banking sites, that they would never ask customers to “confirm details” of their accounts across the internet. And this is just common sense: banks invest very substantially in their computer and information security systems and have to comply with stringent data protection and privacy legislation – they would never be in a position where you had to “re-confirm” your data to them.
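As an added illustration (not part of the original post), here is a small check for the trick just described: a link whose host or path carries the bank’s name while the domain actually under someone’s control is not one of the bank’s own. The bank name, its domains and the sample links are constructed placeholders, and the public-suffix handling is deliberately simplified.

```python
from urllib.parse import urlparse

# Constructed placeholders: a bank's name and the domains it really owns.
BANK_NAME = "examplebank"
BANK_DOMAINS = {"examplebank.co.uk", "examplebank.com"}

# Simplified public-suffix handling for this example: treat two-part
# suffixes like "co.uk" as one unit so "examplebank.co.uk" is one domain.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of the host a registrant actually controls (simplified)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify a link from an e-mail as 'bank', 'suspicious' or 'other'.

    'suspicious' means the bank's name appears somewhere in the URL (host,
    path or query) but the controlled domain is not the bank's: the exact
    pattern the phishing e-mails described above rely on.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if registrable_domain(host) in BANK_DOMAINS:
        return "bank"
    return "suspicious" if BANK_NAME in url.lower() else "other"


def flag_links(urls):
    """Return, in order, the links that merit a warning to the reader."""
    return [u for u in urls if classify_link(u) == "suspicious"]


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an e-mail body.
    samples = [
        "https://www.examplebank.co.uk/login",
        "http://examplebank.co.uk.secure-login.example.net/confirm",
        "http://203.0.113.7/examplebank/verify.php",
        "https://news.example.org/article",
    ]
    for link in samples:
        print(classify_link(link), link)
```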

This particular fraud has now had a lot of newspaper coverage as well. Surely we’ve reached the point where the banks should simply say: “if you fall for this fraud, please report it to the police. We will keep having fraudulent sites taken down as fast as you notify us of them, but we will not compensate you for your losses.” Would such a stance, combined with some newspaper headlines, not encourage internet bank users to be accountable for their own actions?